Tuesday, July 29, 2014

Pale Moon Version 24.7.0 Released

Pale Moon
Pale Moon has been updated to version 24.7.0.  In addition to fixing some performance issues with the new rendering engine on Windows, there are many other updates, including the following security and privacy fixes:

Privacy

  • Google SafeBrowsing, which is defunct, has been removed from the browser.
    Google SafeBrowsing no longer works in Pale Moon, and still having it in the browser and enabled caused a potential privacy issue by sending the domain check to Google. Considering the limited use of the service to begin with and defunct nature, removal was the only logical option.

Security

  • Updated the NSS library to 3.16.2 RTM to address a few critical SSL issues. 
  • There was a possibility to lose the source frame for raster images if images had to be discarded in low-memory situations. This has been fixed. 
  • Made refcounting logic around PostTimerEvent more explicit. 
  • Prevented an invalid pointer state in docloader. 
  • Added proper refcounting of font faces. 
Detailed information about this update is available in the Announcement.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Tuesday, July 22, 2014

Mozilla Firefox Version 31.0 Released



Firefox

Mozilla sent Firefox Version 31.0 to the release channel. At this time, no security updates are listed as being included in the release.

Update:  Although not included in the Release Notes, the Security Fixes page now shows that the update includes three (3) Critical, four (4) High, two (2) Moderate and one (1) Low security updates.

Fixed in Firefox 31

  • MFSA 2014-66 -- IFRAME sandbox same-origin access through redirect
  • MFSA 2014-65 -- Certificate parsing broken by non-standard character encoding
  • MFSA 2014-64 -- Crash in Skia library when scaling high quality images
  • MFSA 2014-63 -- Use-after-free while when manipulating certificates in the trusted cache
  • MFSA 2014-62 -- Exploitable WebGL crash with Cesium JavaScript library
  • MFSA 2014-61 -- Use-after-free with FireOnStateChange event
  • MFSA 2014-60 -- Toolbar dialog customization event spoofing
  • MFSA 2014-59 -- Use-after-free in DirectWrite font handling
  • MFSA 2014-58 -- Use-after-free in Web Audio due to incorrect control message ordering
  • MFSA 2014-57 -- Buffer overflow during Web Audio buffering for playback
  • MFSA 2014-56 -- Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
Highlights of the new version include a search field added to the New Tab Page and preferences to modify the browser.tabs.closeButtons was removed.  If you have modified close tabs, this update changes it to default (one close button for each tab).  To restore the setting, an add-on such as Classic Theme Restorer is suggested.

The issue introduced with version 29.1 that many users have experienced with slow shut downs resulting in the "Firefox is already running" warning continues unresolved.  In the meantime, Firefox users having this issue may want to refer to the KB article, "Firefox is already running but is not responding" error message - How to fix it.



What’s New

  • New -- Add the search field to the new tab pag  
  • New -- mozilla::pkix as default certificate verifier (learn more)
  • New -- Block malware from downloaded files (learn more)
  • New -- Partial implementation of the OpenType MATH table (section 6.3.6) see documentation about mathematical fonts and the MathML Torture Test for details
  • New -- Support of Prefer:Safe http header for parental control.
  • New -- audio/video .ogg and .pdf files handled by Firefox if no application specified (Windows only)
  • Changed -- Removal of the CAPS infrastructure for specifying site-specific permissions (via capability.policy.* preferences). Most notably, attempts to use this functionality to grant access to the clipboard will no longer work. The sole exception is the checkloaduri permission, which may still be used as before to allow sites to load file:// URIs.
  • HTML5 -- WebVTT implemented and enabled (learn more)
  • HTML5 -- CSS3 variables implemented (learn more)
  • Developer -- Numerous Developer Tools and other changes.  See Release Notes for details.
  • Fixed -- Search for partially selected link text from context menu (985824)

Known Issues

  • unresolved -- Slow shut downs lead to 'Firefox is already running' warning (see 966469 and 985655)
  • unresolved -- PDF.js: With some fonts, some characters might not be displayed. Affects a very small number of PDF (1028735)
  • unresolved -- Mac OS X and Windows: Citrix Receiver no longer works. As a workaround, mark the plugin as Always Enable in the addon manager (1025627)
  • unresolved -- GNU/Linux and Windows XP: Google Maps Street View displays a black screen (1034593)
  • unresolved -- Mac OS X: cmd-L no longer opens a new window when no window is available (1008793)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Monday, July 21, 2014

WinPatrol v32 Update

WinPatrol Scotty

As I have said, "WinPatrol is the first program I install on my computers.  I recommend WinPatrol to my friends and to people I have helped with malware removal.  I wouldn't think of surfing without Scotty covering my back."

After the last update to WinPatrol, that statement needs to be supplemented to include that WinPatrol users are extremely dedicated to Scotty and not only quick to point out any quirks but also ready to help resolve those quirks.

Prior to the WinPatrol update to version 32, a dedicated group of WinPatrol users provided information to Bret and Bill about issues they were experiencing with Delayed Start.  Although the version 32.0.2014 update partially addressed the issues, there continued to be a bit of a problem.

Bret and Bill followed the discussion closely and Bret quickly provided a diagnostic tool so volunteers could provide the information he and Bill needed to resolve the remaining issues.  The end result was the release of WinPatrol version 32.0.2014.5. 

From WinPatrol 2014 Upgrade Version 32.0.2014.5
"Thanks to the quick reports from our dedicated fans a new release is available that resolves some errors due to a change to a new default folder. Using a new tool from Ruiware for inspecting registry data and the cooperation of folks in the Landzdown Forum we tracked down some remaining failures in the Delayed Start program list.

Other reports from the first day of downloading indicated some files from the previous BillP Studios folder we not copied to the new folder as planned. In particular, the history.txt was not copied and is useful if a startup program needed to be restored.

Quoting* Bill at LandzDown:
"It's been a long day but I need to let everyone know how grateful I am for help, patience and guidance. The posts we've read along with Bret's tool to inspect the data has been critical in finding problems with the initial release of version 32 quickly.

You'll find a new version 32.0.2014.5 which has a number of changes that will stablize the Delayed Start list.
I also thought I had considered the impact of having a new default folder but some of our thoughts were not implemented. I can't say for sure if the new version will include everything we wanted for folks who have installed 32.0.2014.5 but for new downloads, it will correctly copy any previous data in the BillP folder to the Ruiware folder.
If you still have the BillP Studios folder, you can manually copy the history.txt file to the Ruiuware folder. If you noticed any subfolders copy those as well.

Special thanks to Corine and the Landzdown folks for convincing me this was the place to have a WinPatrol Forum.

Thanks again,
Bill"
You can find the WinPatrol forum at LandzDown here: WinPatrol Help & Information.

*Minor typos corrected in quote.


Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Saturday, July 19, 2014

WinPatrol v32.0.2014 From Ruiware Released!

WinPatrol Scotty

Through the combined efforts of Bill Pytlovany and Bret Lowry, version 32.0.2014 has been released.  As WinPatrol fans know, Bill will be consulting with Bret in the transition.  (More about Bret in my earlier post here.)

An important take-away from the information provided on the update at WinPatrol v32.0 from Ruiware is the included notice of Bret's commitment to everyone using WinPatrol both that the free version will continue and also that purchases of WinPatrol PLUS continues to be a lifetime license.

New Start Menu and System Tray Icons

After considerable discussion about the changes to the Scotty system tray icon, the following changes have been made:
  • The Scotty system tray icon now has Scotty on a green background.
  • When a scan for changes is in progress, the icon will have a yellow background
  • If a notification is generated, the icon will remain yellow until the change is accepted or rejected.
  • The Blue Orb will be used by the installer, wpsetup.exe. 
For anyone with a Start Menu, the tile icons will also change:  WinPatrol(Green), WinPatrol Explorer(Blue), Uninstall(Purple) and Help(Yellow).

Pale Moon

The problem of detecting Pale Moon cookies on computers where Firefox was not installed has been corrected.  If WinPatrol finds that Pale Moon has been installed it will include the Mozilla option for setting up cookie filters. 

Safe Update Version Info

The Safe Update button will now include version information for security programs Malwarebytes Anti-Malware and Microsoft Security Essentials when installed.

WinPatrol runs on Windows XP, Windows Vista, Windows 7 and Windows 8 systems, including x64 versions.

Download WinPatrol 32.0.2014!

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Tuesday, July 15, 2014

Oracle Java Critical Security Update

java


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

This is a Critical Patch Update that contains 20 fixes for Java, the most severe having a rating of 10.0 relating to the vulnerability described in CVE-2014-4227 (currently listed as "reserved"). 

According to the Oracle Blog, seven (7) other Java SE client vulnerabilities have a CVSS Base Score of 9.3.  Although this means that a complete compromise of the client is possible, according to Oracle, aaccess complexity to exploit these vulnerabilities is “medium.”)   Additional details about the update are available in the Java Release Notes, referenced below.

Windows XP

There has been a lot of recent controversy regarding Java updates for Windows XP.  While Windows XP has reached end of life, Java 7 will continue to be updated until April, 2015.

Thus, organizations and individuals who must continue using Windows XP and have Java installed can also continue getting updates for Java 7.  It is noted, however, that if an issue arises that is specific to Windows XP, Oracle is not required to and also may not be able to create a patch.  For additional information, refer to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.


Download Information

Download link:  Java SE 7u65

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015
  • 14 July 2015

Java Security Recommendations

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, July 08, 2014

Microsoft Security Bulletin Release for July, 2014


Microsoft released six (6) bulletins today.  Two of the bulletins are identified as Critical, three as Important and one as Moderate.

The updates address 29 Common Vulnerability and Exposures (CVEs) in Microsoft Windows and Internet Explorer.

Critical:

  • MS14-037 -- Cumulative Security Update for Internet Explorer (2975687)
  • MS14-038 -- Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689)
Important:
  • MS14-039 -- Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685)
  • MS14-040 -- Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684)
  • MS14-041 -- Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) 
Moderate:

  • MS14-042 -- Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621)

MSRT

Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Windows XP and Windows 8.1

As has been widely publicized, support for Windows XP and Office 2003 have ended.  Thus, there will be no further security updates for those products.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014. Although Microsoft has stopped providing Microsoft Security Essentials for download, that definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP. Important note for Windows 8.1 users:  Windows 8.1 Update Requirement Extended ____________ The following additional information is provided in the Security Bulletin:

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Adobe Flash Player Critical Security Update

Adobe Flashplayer

Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux.

Internet Explorer in Windows 8 systems will be updated via Windows Update.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.

Update:  Catching up on my reading, I learned from Graham Cluley's article that the update is particularly important to install ASAP due to what is referred to as "Rosetta Flash – a tool which he says can convert any .SWF Adobe Flash file into one composed entirely of alphanumeric characters." 

Update Information

The newest versions are as follows:
Windows and Macintosh:  14.0.0.145
Linux: 11.2.202.394
Users of the Adobe AIR 14.0.0.110 SDK and earlier versions should update to the Adobe AIR 14.0.0.137 SDK.

Release date: July 8, 2014
Vulnerability identifier: APSB14-17

CVE number: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671

Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • As requested by a Security Garden reader, the update information for the "Extended Release of Flash Player 11.7" can be found here. Note, however, that beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows replaced version 11.7 as the extended support version.
    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References







    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Thursday, July 03, 2014

    Microsoft Security Bulletin Advance Notice for July 2014

    Security Bulletin
    On Tuesday, July 8, 2014, Microsoft is planning to release six (6) bulletins.  Two of the bulletins are identified as Critical, three as Important and one as Moderate.

    The updates address vulnerabilities in Microsoft Windows and Internet Explorer with the critical and important updates directed to remote code execution and elevation of priviledge.  Most of the updates will require a restart.

    Reminder

    As has been widely publicized, support ended for Windows XP and Office 2003 on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

    As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

    References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...